It's getting harder to justify not having a CISO, so many businesses that have never had a CISO are filling the gap with a virtual CISO. A vCISO, sometimes referred to as a fractional CISO or CISO-as-a-Service, is typically a part-time outsourced security expert who helps businesses protect their infrastructure, data, personnel and customers.
Depending on the needs of the company, vCISOs can be onsite or remote, long-term or short-term.
There are plenty of reasons why companies are going the vCISO route.
Sometimes it's an internal crisis where a company's CISO has unexpectedly resigned and the board needs time to find a permanent new one.
If the company needs the vCISO for 40 hours a week for some period of time, that's also okay.
In addition to smaller businesses, organizations in the SaaS, manufacturing, industrial and healthcare industries are also good candidates for the vCISO model.
While some believe the financial arena can also be a good fit for vCISOs, others say the area is so heavily regulated that financial institutions should have their own full-time CISOs.
What vCISOs Do

The most common duties vCISOs perform for companies include Governance, Risk and Compliance, developing and executing strategic plans, and evaluating and enhancing security maturity, according to a Hitch Partners report.
Experienced vCISOs will understand cyber risk, technology and enough about the business to orchestrate an effective security strategy.
Nick Shevelyov, who spent years as a CIO and then CISO at a San Francisco area bank, says he routinely called in vCISOs to pick their brains and learn from them.
Today, Shevelyov is an executive cybersecurity advisor and vCISO operating his own boutique consultancy.
Companies even engage a vCISO to define the role within the company so the vCISO can eventually prepare the next, permanent CISO to take over.
Companies interested in finding a vCISO have plenty of options.
In addition to asking industry experts they know, they can find plenty of candidates from large consulting firms, boutique firms specializing in vCISO services and managed services providers.
The key, Eubanks says, is that candidates have experience working as a CISO, preferably in the same industry as the company seeking the vCISO.

Finding the Right vCISO Fit

A few years ago, when a mid-sized credit union unexpectedly lost its cyber leader to one offering more money, it found itself at a crossroads.
So while the executive team prepared for a months-long search for a new CISO, it turned to global consulting firm Protiviti to provide a part-time temporary CISO. Finding the right vCISO for that mid-sized credit union took some work on Protiviti's part.
With that in mind, define the scope and outcome expectations of the vCISO role clearly.
There are plenty of places to look, but finding the right person (someone who understands your company's dynamics and has the right experience) can be frustrating.
Familiarity with the industry can be important, because it reduces the learning curve and helps ensure that the potential vCISO understands your company's issues.
While compatibility is important, the right vCISO can override some of it.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 04 Jan 2024 04:45:25 +0000